Issue List
VWE-2019-5363 is a Permissions Escalation issue, where users are able to make unmoderated edits to the index and area pages as long as they can make unmoderated edits to regular pages. The issue affects all versions of the 4.x series.

VWE-2019-5360 is a Permissions Escalation issue, where users can accidentally rename pages with HTML entities in the title, even if they don't have permission to rename pages. The issue affects all versions of the 4.x series.

VWE-2019-5375 is a Permissions Escalation issue, where the type of the item being renamed is not taken into account: users can rename any attachment, whatever its type, as long as they have permission to rename attachments, and can rename pages of other types as long as they have permission to rename regular pages. The issue affects all versions of the 4.x series.
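VWE-2019-5363 and VWE-2019-5375 share one root cause class: an authorization check that is keyed on the action alone and ignores the type of the page or attachment it is applied to. The following is an added illustration of that pattern and of a check that keys on both action and type; it is not the product's code, and the names (`User`, `allowed_naive`, `allowed`, the permission strings and resource types) are hypothetical.

```python
# Illustrative authorization check (hypothetical; not the product's code).
# Contrasts an action-only check with one keyed on action and resource type.
from dataclasses import dataclass
from typing import FrozenSet

# Resource types an action can apply to. Types not listed here are denied
# outright, so a new type is never silently covered by "regular" rights.
RESOURCE_TYPES = {
    "edit_unmoderated": frozenset({"regular", "index", "area"}),
    "rename": frozenset({"regular", "index", "area", "attachment"}),
}


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]


def allowed_naive(user: User, action: str) -> bool:
    """Vulnerable pattern: one permission string governs every type.

    A user holding "edit_unmoderated" (granted for regular pages) is
    also allowed unmoderated edits to index and area pages.
    """
    return action in user.permissions


def allowed(user: User, action: str, resource_type: str) -> bool:
    """Hardened pattern: permission is looked up per (action, type).

    Unknown actions or types are denied; there is no fallback to the
    permission for "regular" items.
    """
    valid_types = RESOURCE_TYPES.get(action)
    if valid_types is None or resource_type not in valid_types:
        return False
    return f"{action}:{resource_type}" in user.permissions


# Constructed sample principal: may edit regular pages without moderation
# and rename regular pages, but has no rights over index or area pages.
EDITOR = User(
    name="editor",
    permissions=frozenset({
        "edit_unmoderated",            # legacy type-blind flag
        "edit_unmoderated:regular",
        "rename:regular",
    }),
)


def compare(user: User, action: str, resource_type: str) -> dict:
    """Return both verdicts for a request so the gap is visible."""
    return {
        "naive": allowed_naive(user, action),
        "typed": allowed(user, action, resource_type),
    }


if __name__ == "__main__":
    for rtype in ("regular", "index", "area"):
        print(rtype, compare(EDITOR, "edit_unmoderated", rtype))
    for rtype in ("regular", "attachment"):
        print(rtype, compare(EDITOR, "rename", rtype))
```

The typed check also deliberately denies any type it does not know about, so adding a new page type requires an explicit permission entry rather than inheriting the rights of regular pages.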
Patches
The following patches address the aforementioned issues:

- 4.0.27 Patch Level 1
- 4.0.26 Patch Level 3
- 4.0.25 Patch Level 5
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in the next release of the 4.1.x branch, 4.1.0 Beta 4, in addition to any relevant issues listed above.

VWE-2019-5361 is a Permissions Escalation issue, where users can create new collaborative feeds that belong to no area without awaiting approval, as long as they have global permission to create collaborative feeds. The issue affects 4.1.0 Alpha 1 and higher.
VWE-2019-5391 is a Phishing issue, where user-positioned elements are not restricted within the relevant position's container. The issue affects 4.1.0 Alpha 1 and higher.